Move to recommended matomo nginx config

2018-10-20 07:55:02 +00:00 · 2018-10-20 07:55:02 +00:00 · 15969a4411
parent 4fde8d58e5
commit 15969a4411
1 changed files with 44 additions and 6 deletions
--- a/nginx-conf/matomo.conf
+++ b/nginx-conf/matomo.conf
@ -13,12 +13,10 @@ server {
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

-    root /var/www/html/;
-    index index.php index.html index.htm;
+    add_header Referrer-Policy origin;

-    location / {
-      try_files $uri $uri/ =404;
-    }
+    root /var/www/html/;
+    index index.php;

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
@ -31,7 +29,7 @@ server {
      access_log off;
    }

-    location ~ \.php$ {
+    location ~ ^/(index|matomo|piwik).php {
      fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
      fastcgi_param  SERVER_SOFTWARE    nginx;
      fastcgi_param  QUERY_STRING       $query_string;
@ -49,9 +47,49 @@ server {
      fastcgi_param  SERVER_ADDR        $server_addr;
      fastcgi_param  SERVER_PORT        $server_port;
      fastcgi_param  SERVER_NAME        $server_name;
+      fastcgi_param  HTTP_PROXY         "";
      fastcgi_intercept_errors on;
      fastcgi_pass matomo_backend;
    }
+
+    location ~* ^.+\.php$ {
+        deny all;
+        return 403;
+    }
+
+    location / {
+      try_files $uri $uri/ =404;
+    }
+
+    ## disable all access to the following directories
+    location ~ /(config|tmp|core|lang) {
+        deny all;
+        return 403; # replace with 404 to not show these directories exist
+    }
+
+    location ~ /\.ht {
+        deny  all;
+        return 403;
+    }
+
+    location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+        allow all;
+        ## Cache images,CSS,JS and webfonts for an hour
+        ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade4
+        expires 1h;
+        add_header Pragma public;
+        add_header Cache-Control "public";
+    }
+
+    location ~ /(libs|vendor|plugins|misc/user) {
+        deny all;
+        return 403;
+    }
+
+    ## properly display textfiles in root directory
+    location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+        default_type text/plain;
+    }
 }

 server {